I would have thought it should be possible to use Google Analytics without consent under the GDPR if you are not using the advanced advertising features that require Google's EU user consent policy. You would need to turn on the IP Anonymisation feature and strip out any customer IDs, order IDs, etc. before sending the page URL to them. You would still need consent under the ePrivacy directive, but this could be implied in most cases.

I can't see many customers allowing analytics cookies if given a choice.

If used correctly, GA can be used without consent.
For ga use

ga('set', 'anonymizeIp', true);

For gat use

_gaq.push(['_gat._anonymizeIp']);

and do not send any customer information like order ID, customer ID and so on.

Additionally, a Google OptOut can be used - or at least should be used.
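The two posts above advise enabling anonymizeIp and stripping order and customer IDs from the page URL before the pageview hit is sent. The snippet below is an added example, not code from the thread or from OpenCart: the parameter names in IDENTIFYING_PARAMS and the sample URL are assumptions, and the ga() calls only fire when the analytics.js loader is present.

```javascript
// Added example: query parameters assumed to identify a customer or order.
// Adjust this list to the URL scheme of your own shop.
const IDENTIFYING_PARAMS = new Set([
  'order_id', 'customer_id', 'email', 'telephone', 'firstname', 'lastname',
]);

// Return path + remaining query with identifying parameters removed.
// Accepts absolute or relative URLs; the base is only used to parse relative paths.
function sanitizePagePath(rawUrl) {
  const url = new URL(rawUrl, 'https://example.invalid');
  const kept = url.search
    .slice(1)                       // drop the leading '?'
    .split('&')
    .filter((pair) => pair.length > 0)
    .filter((pair) => !IDENTIFYING_PARAMS.has(pair.split('=')[0].toLowerCase()));
  return url.pathname + (kept.length ? '?' + kept.join('&') : '');
}

// Build the analytics.js command sequence: anonymise the IP first, then
// override the 'page' field so the hit never carries the original URL.
function buildGaCommands(rawUrl) {
  return [
    ['set', 'anonymizeIp', true],
    ['set', 'page', sanitizePagePath(rawUrl)],
    ['send', 'pageview'],
  ];
}

// Apply the commands only when the analytics.js loader (global ga) exists;
// returns the commands so the behaviour can be checked without a browser.
function sendSanitizedPageview(rawUrl) {
  const commands = buildGaCommands(rawUrl);
  if (typeof ga === 'function') {
    for (const cmd of commands) ga(...cmd);
  }
  return commands;
}

// Constructed sample: an OpenCart-style success page URL carrying an order
// id and a customer id that must not reach Google.
const SAMPLE_URL =
  'https://shop.example/index.php?route=checkout/success&order_id=1234&customer_id=77';

sendSanitizedPageview(SAMPLE_URL);
```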

I started removing third party cookies from my OC shop, such as analytics and social media plugins. I probably only have first party cookies like the session ID, language, and currency. I also set the language and currency to expire on session by setting the time variable to 0.

The following site says first-party session cookies do not need consent if they expire on close of session and are categorized as user-input (session ID) or user-interface-customization (language, currency after changing the expiration to session). The site mentions the term "Strictly necessary cookies". I see other sites implementing this in their privacy policy by stating their cookies are "strictly necessary" and some mention "session cookies only". There were also others that mention "legal basis is legitimate interest" but I don't know if this last part is necessary? http://ec.europa.eu/ipg/basics/legal/co ... dex_en.htm

Also, if you don't need consent for the session cookies, do you still need to notify the user with a popup cookie notification window?

Shipping estimator:

Is entering the post code, province, country in the shipping estimator considered processing of personal data? Or not personally identifiable data? Because they are stored temporarily and linked to the session ID and IP address.

Would you then have to disable the shipping estimator until the customer gives explicit consent to the privacy policy, for example by forcing them to log into or create a new account before showing them the estimator? No guest quotes?

FedEx (and UPS) modules send the post code, province, country to their third-party rate request API servers, which are possibly located in the US or foreign countries outside the EU. There might need to be something in the privacy policy stating this third-party sharing of data and transmission out of the EU. This might make it important to disable the shipping estimator if not logged into an account, and also might need to disable guest checkout since OC doesn't ask for policy acceptance for guests until the confirmation step. Registering during checkout asks for policy acceptance before reaching the shipping method section.

That link you posted relates to the ePrivacy directive, which is different from the GDPR. To make matters more confusing, the ePrivacy directive is shortly to be replaced by the ePrivacy Regulation, one of whose proposals is to make the cookie rules simpler. https://ec.europa.eu/digital-single-mar ... regulation

My understanding is that under the ePrivacy directive you do not need consent to use cookies if they are essential for the website to work. So that would include the OpenCart session cookies, language, currency, etc. You should probably give information about them in your privacy or cookie notice pages. For other cookies, such as analytics ones, you probably would need consent. Most sites use implied consent, so have a pop-up or bar saying that by using the site you consent to cookies. That has been the situation for a few years and can have different interpretations in different member states.

For the GDPR you need to have a valid lawful basis in order to process personal data. There are 6 of these and the most common one you would be likely to use would be for a contract. The other common one would be consent.

As I see it you don't need consent for the OpenCart session cookies as these are needed to process the order and generally allow a customer to do things on your site before placing an order (the contract). The language and currency cookies don't contain personal data so are not covered by the GDPR.

You also would not need consent for the shipping quote as again the customer is asking you to do that before placing an order. So again the basis is contract, not consent. The same for the contact form.

I don't think a postcode on its own would be personal data as there will be more than one person at that postcode. So it would be safe to send this to a shipping quote service.

I personally don't think a customer should need to agree to the privacy policy for the GDPR. In fact you could argue that it's bad having a checkbox as this could be confused with giving consent to process their data where contract basis would be more appropriate. You just need to tell them some basic information on what you are doing and link to your privacy notice page.

I'm still not very familiar with the GDPR and am not an expert, but I suppose some countries might require that the privacy policy and TC be delivered to the customer during the sale. Even given what you say about not needing consent if the basis is the contract, it might be necessary to have a record of the privacy policy and TC being read / presented before being able to submit the order.

There are a couple of very popular GDPR modules on the OC marketplace which record the checkbox along with the email address, a copy of the policy or TC at the time, the date, etc. They also have a deletion / anonymize function but most of them are not clear about exactly which tables get affected by the function. I wish they were more descriptive. I noticed in the backend that some of the email fields in their "consent" list were anonymized, probably by using the deletion / anonymize function. But I wonder, if a question comes up in the future about whether a past customer had received or consented to the privacy policy or TC, how would you prove that they did if you anonymize your records for the checkmark? I guess the main question is what data has to be anonymized or can remain intact.

One of the biggest advantages of the GDPR (the US will learn their lesson, sooner or later) is that it is valid in all countries around the globe.
No matter if you sit in Norway, France, Italy, Austria, South Africa, Nevada, Las Vegas, and so on ..

Why is this?
Because the moment you want to do business with a customer coming from a European country, you have to follow the GDPR and its regulations.
And because of that, the GDPR is the same everywhere and valid everywhere!

The Privacy Policy is not a contract; it is a requirement and information you have to show your visitors (but following the guidelines in the GDPR!).
Nobody has to agree with it - if someone does not like it, you will make no business.

The TC (I guess you mean Terms of Contract .. ?) are the basis of the relationship between you and your customer.
In general, all European countries have very strong consumer rights you cannot play against - or overrule!

And if you have only private customers, forget any TC / TOC etc. - you will violate the already existing rights.

Another thing is if you have business customers (in addition to B2C, or only).
There you should have TC/TOC - because this is the base, a contract between your business and the other business,
where you can define your own rules (within the existing laws and regulations, of course).

And if your customer does not read the Privacy Statement or the TC/TOC - not your fault if they are too lazy.
No need to get consent.
But you have to publish them!

There are a couple of very popular GDPR modules on the OC marketplace which record the checkbox along with the email address, copy of the policy or TC at the time, the date, etc. They also have a deletion / anonymize function but most of them are not clear about exactly which tables get affected by the function.

Maybe popular because of
Better to ask: do they fulfil the GDPR?
I would say: no.

But I wonder if a question comes up in the future about whether a past customer had received or consented to the privacy policy or TC, how would you prove that they did if you anonymize your records for the checkmark? I guess the main question is what data has to be anonymized or can remain intact.

I guess you have to make a tax declaration each year?
Correct?
So the question is more: how long do you have to store invoices, credit notes and similar?
Ask your tax office - each country has a different number of years you (the business owner) have to store such papers/records (anything between 7 and 15 years).
More years for warranty cases.

This will give you an idea which records in the tables can be deleted.
And which can be anonymized or pseudonymized (not the same!!).
Basically all other than the order table.

May I recommend something to you? Please read the GDPR in your language - there are not so many pages to read, but each page is necessary for you!
After that, I am sure you will ask better questions, if any.

While it's a good idea to keep an archive of your terms for your own records, I can't see the need to record them each time like the GDPR extensions do. What's more, the ones I looked at don't record anything about the newsletter subscription, something you would need some record to prove consent for.

Again, asking for consent when a customer enters their name and address before placing an order could be misleading.

From the ICO guidelines:

The ‘consent’ is a condition of service
If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won’t even count as valid consent.
Instead, if you believe the processing is necessary for the service, the more appropriate lawful basis is likely to be 'necessary for the performance of a contract' under Article 6(1)(b). You are only likely to need to rely on consent if required to do so under another provision, such as for some electronic marketing under PECR.

So you should not need to gain or record consent to use a customer's name and address to process the order. You would however need to gain and record consent to send them a newsletter. It seems clear that the GDPR extensions I've looked at are not doing this correctly.

While it's a good idea to keep an archive of your terms for your own records, I can't see the need to record them each time like the GDPR extensions do.

Well, I still see the need to record when the customer gave his consent (agreement) - when he ticked the checkbox at checkout.
Why?
Because terms change, and when you change your terms you have to notify your customers, because these terms are the base of your business.
If something happens, you should be able to prove the terms the customer agreed to - at the time he did.

This procedure has been included in one of my extensions for many years and helped a few customers when they had a legal dispute.

What's more, the ones I looked at don't record anything about the newsletter subscription, something you would need some record to prove consent for.

I have also had this in 2 of my extensions for many years.
And the requirement here is not only to store the subscription and timestamp; much more important is that you do not use a simple checkbox for that agreement!

You also need to define what this newsletter will be for (e.g. only for new products or services, or promotions).
And send the correct newsletter based on this decision by the customer - after he has agreed to receive newsletters, because:

>>> you also need a confirmation of the subscription - a so-called Double OptIn <<<
Newsletter subscriptions are NO OptOut decisions, only OptIn - which also means no pre-checked checkboxes!

A customer has ordered items in the past, and the store owner received email copies of submitted online orders. Now the customer wants to make use of his right to be deleted. So the store owner can delete his account, no problem. But what about the order history in the database? Also, there will be plenty of emails in the store owner's email software (Outlook, or whatever email software he uses). Does the latter need to be cleared from Outlook as well?

As written earlier here somewhere: you only have to store related data for your tax office (ask them how long in your country, between 7 and 15 years).

And the only document which is relevant for that is .. the Invoice.

If you have goods with a longer warranty than these years, you have to store them longer.

What (or where) is this data?
Only on the Invoice.
If you have a case of guaranty (not the same as warranty, do not confuse them!), you should keep these records (e.g. emails) also.
Guaranty is very rarely longer than 2 years.
Warranty could be up to 30 years.

Which records to keep?
All in digital and paper form > Invoice (and guaranty); if a warranty comes into effect, then for those years.

Which records to delete?
Everything else.

Can I keep the data anyway?
Counter-question: what for?

In general: if you really want to keep the data (e.g. for statistics, etc.) and the records can be anonymized (not pseudonymized!) and the final record never lets you find out which person is meant, you can.

Taking all this into account, you delete a lot of data.

Btw: the so-called invoices in OpenCart are not valid invoices!
An invoice is something you cannot change after it is published.

I know of not one customer who works with OpenCart to produce valid invoices on that basis.
And those of mine who do use an extension of mine which produces PDFs.

Which means: basically the order table in OpenCart can also be deleted when a customer requests to delete all his data.

The internal captcha probably doesn't have personal data implications. You could switch to that one. Or is it easy to break?

We would also need to consider the use of a Gmail account for receiving order notifications, since Google has access to the data and analyzes the contents. Google servers might also be outside of the EEA. Also, we need to consider what happens if you host OC on a server outside of the EEA. There is a section in the GDPR about transfer of data out of the EEA, the requirements for doing it and informing the users about it.

There also might be implications if you use Google Translate in Chrome to automatically translate your customer emails since Google gets a copy of the contents. Might be safer to disable translate in Chrome, and copy only non-identifiable text from the email and paste it into Translate directly. You might also want to disable Google Translate from reading your backend. And I used to have the Google Translate bar on the top of my website but I took it off.

Other embedded content like Google Maps and YouTube videos adds and reads cookies. I'm only going to use external links, no more iframes.

As written earlier here somewhere: you only have to store related data for your tax office (ask them how long in your country, between 7 and 15 years).

And the only document which is relevant for that is .. the Invoice.
Which means: basically the order table in OpenCart can also be deleted when a customer requests to delete all his data.

That is not true in the United Kingdom. Under UK VAT law (see HMRC rules under section 2.3 at the link below) you need to keep all manner of records for at least 6 years from the end of the last company financial year they relate to, including orders and relevant business correspondence, which would mean the order history stored in the database.

If you are zero-rating VAT for sales outside the EU you will also have to keep other evidence, such as of despatch or export. If you make digital sales and use the VAT MOSS service you have to keep some records for 10 years.

What happens for example, if you store the OC site on an EEA server, then you go travelling outside the EEA and access your backend and look up order information from overseas on your mobile phone or laptop? Are you then making an international transfer of personal data? And if you save your email through IMAP/POP3 on your mobile phone that may contain order information and take the mobile phone with you overseas? How would you word this in the privacy policy? What about all the data from past customers from previous years that had a policy without the new text?

Similarly, if you make waybills with FedEx and UPS, their systems are international and personal data are most probably being exported. How would you word the privacy policy?

And suppose you relocate your business out of the EEA? How do you legally take the data with you out of the EEA?

As written, every shop owner has to know his business and the laws in his country himself.
Asking questions here about how long to keep records is a bit late ..

He also has to know which specific regulations he has to look for.

Fact is that an invoice has to be a non-editable document and is non-revocable - it is an official document.

All of which OpenCart is not and does not have per default.
It is then the question whether your local tax office will trust the data (tables) in OpenCart/the database - I guess not (as it was at my last company audit!) because they can be edited at any time in any way.

They do seem to meet all the standards required. However, this only seems to apply to the paid-for business G Suite version of Gmail. Using the free personal version of Gmail would probably not be compatible with the GDPR. There is no way to agree a processing contract for one. There is in G Suite, I believe.